Why IT cyberattack measures are not enough
Why IT measures against cyberattacks are not sufficient alone to protect energy and industrial infrastructure sectors
published : 3 Dec 2020 at 14:19
Cyber security has become a familiar term for people in the digital era with issues such as privacy, malicious software, hacking, and data leakage.
However, these Information Technology (IT) systems dealing with data are only a part of the story when it comes to business cyber security. Operation Technology (OT), or operation and control of physical processes, for example industrial control systems, heat control systems, monitor systems, and other customised systems, are also a vital part of business operation, especially in energy and industrial infrastructure sectors.
Cyberattacks on Cyber Physical System (CPS) are on the rise globally with an increasing number of attacks targeting critical infrastructure such as power plants, oil and gas facilities, wastewater facilities, steel mills, industrial systems, and automotive industry. This to a certain extent accounts for the fact that in Thailand, according to a report by Statista, cyber security spending has seen a yearly increase from 2015, and is forecast to reach 0.07% of Thailand’s GDP by 2025.
Mr. Takashi Amano, General Manager, Cyber Security Center, Toshiba Corporation, and Technology Executive & CISO, Toshiba Digital Solutions Corporation, explained the reason of the rise of CPS attacks: “Due to the digital transformation in recent years, many businesses that used to operate in a closed environment have now come into contact with the Internet both directly and indirectly. This may expose the infrastructure to run the risk of access through third parties and exploit devices connected to the Internet. This hyper connectivity can affect the OT systems and potentially lead to various problems, including equipment damage, disruption of work process, and financial and intellectual property loss.”
One of the key solutions to mitigate these cyberattacks is to strengthen cyber resilience of business and companies. Mr. Amano said that the scope of cyber security involves many levels, from those dealing with the external realm, from information network (information security and main server) and control information network (production management server, data analytics, and file server) to the internal network or control network (product security, Industrial Control Systems security or ICS security, and control server).
Therefore, Mr. Amano pointed out that it is now time for businesses to step up and become proactive in coping with cyber security issues instead of staying reactive.
“Sustainable long-term cyber resilience would encompass three core steps to minimise the damage. First, ‘Prepare’ involves prediction and prevention of security intrusion to achieve longer system performance. Second, ‘Mitigate’ means to minimise the impact of incidents by effective detection. Third, ‘Respond & Recover’ includes evaluating up-to-the-minute security threats and channelling feedback to design and development processes. Furthermore, proactive businesses can harness the benefits of AI data collected to reduce the time required and improve the accuracy of threat detection and response.”
This solution is currently applied in Japan where visualisation of assets and continuous monitoring are a key to strengthen cyber resilience. With a reduction in potential cyber threats, the power plant is able to allocate resources more efficiently, minimise disruption to essential services, benefit suppliers, and ultimately end users downstream.
As a consultant on smart manufacturing facility security, Mr. Amano said usually cyber solutions services mainly deal with IT skills, but it would be best for CPS solutions providers to have total knowledge of both IT and OT systems.
“Protection for CPS requires deep understanding of the physical space from experiences in manufacturing equipped with advanced cyber solutions. These will ensure a comprehensive, well-rounded, long-term cyber security strategy in terms of cost, time, and scale, as opposed to point solutions. For instance, here at Toshiba, we have a wide range of business domains of various industries, from devices, products, and infrastructure installation to infrastructure services and data service. The broad experience can better add value and satisfy demands of customers because different organisations at varying stages of technology adoption will have varying needs of priorities for cyber security solutions.”
Moreover, Mr. Amano advised that efficient cyber security solutions should be customised and updated over a long period of time: “It usually takes 1-3 months, depending on the scale, for the AI to learn the network environment, catch any anomalies, and mature the system. Plus, cyberattacks are continuously changing; therefore, our customers generally require not only installing the solutions but also other services, including operating, monitoring, and maintaining the solutions as well as advice in case of incidents.”
The promotion of cyber resilience for critical infrastructure sectors in Thailand is truly an opportunity, said Mr. Amano.
“Right now, many companies don’t have a security team and are vulnerable to cyberattacks on their CPS. The solutions to mitigate such attacks can help enhance security posture of Thailand, especially in the energy and industrial infrastructure sectors. In addition, cyber security policies such as the new Cybersecurity Act of 2019 will push organisations to meet compliance and regulatory requirements for cyber security infrastructure.
“Most importantly, stakeholder education and engagement, standards implementation, protocol standardisation and developing technologies can all drive cost efficiencies. Not to mention the fact that the global pandemic has changed the way businesses operate, popularising telework and pushing for rapid digitalisation.”
Mr. Amano concluded: “Investment in cyber security is extremely vital to counteract the high cost, risk, and downtime that come with the disruption of an increasingly digitalised energy and industrial infrastructure sector. It is truly a worthwhile investment.”